FY17 Annual Risk Assessment and Internal Audit Plan

Size: px

Start display at page:

Download "FY17 Annual Risk Assessment and Internal Audit Plan"

Ellen Webster
6 years ago
Views:

1 Internal Audit Program Planning Report FY17 Annual Risk Assessment and Internal Audit Plan May 2016 Approved: Barry Long, Director Audit & Management Advisory Services

2 Table of Contents I. SUMMARY... 3 II. ALLOCATION AND USE OF RESOURCES Schedule 1 Personnel Gross & Net Available Hours... 4 Schedule 2 Activity Report Distribution of Net Available Hours... 5 Schedule 1, 2 Cross Check... 6 III. PLAN DETAIL Schedule 3 - Internal Audit Plan Detail... 7 Schedule 3A - FY17 UCSC Internal Audit Plan Topic Description... 9 Schedule 3B - FY17 Audit Plan-Strategic Alignment IV. INTERNAL AUDIT ANNUAL RISK ASSESSMENT / INTEGRATION WITH CAMPUS RISK INTELLIGENCE Exhibit 1 AMAS Risk Assessment Process Exhibit 2 AMAS Risk Assessment Factors and Scoring V. APPENDICIES APPENDIX A Top Rated Topics from Audit Universe APPENDIX B UC Audit Universe APPENDIX C List of Leaders Interviewed by Position

3 I. SUMMARY Audit & Management Advisory Services (AMAS) has completed its FY17 annual risk assessment and internal audit planning exercise, leading to the development of the FY17 Internal Audit Plan. This report provides a compilation of documents including our planned allocation and use of resources, and plan detail referred to as Schedules 1, 2 and 3 (A and B). These schedules were requested as part of this year s audit plan call from the UC Ethics, Compliance and Audit Office and used for rollup to the systemwide internal audit program report for regental approval. Additional appendices have been provided supporting information outlining this year s effort. The following list of topics represents a summary of the FY Internal Audit Plan: FY17 Planned Audits/Management Advisory Services Risk Based Audits Distributed User Authentication Controls IT End Point Security (BigFix) Laptop Security Independent Contactors Export Control Awareness Update Laser Safety Conflict of Interest Disclosures on Federal Contracts Use of Consultants Systemwide Requested Audits Systemwide Project Placeholder (TBD) Chancellor's Expenses - BFB G-45 bi-yearly Annual Report on Executive Compensation (AREC) Requested and Risk Based Consulting Services/Management Advisory Services OPERS Financial Review Summer Session Operations NCAA Report Annual Review Other AMAS Projects Spreadsheet Use and Reporting Survey Data Analytics Initiative In addition to this list of projects, approximately 4% of our net available resource time has been allocated for unplanned investigations and investigation support activities, and a similar amount of unplanned supplemental audits to address requests for our services that may come up during the year. The FY17 Internal Audit Plan takes into account the resource constraints of the internal audit office and maximizes the skill set mix of the existing AMAS staff. 3

4 II. ALLOCATION AND USE OF RESOURCES Audit & Management Advisory Services (AMAS) is comprised of a Director, three professional audit staff, and one senior administrative analyst. Professional staffing resources are allocated as follows: Schedule 1 - Personnel Gross & Net Available Hours, outlines the net available hours dedicated to the UCSC internal audit program. FY17 Internal Audit Plan - Schedules 1 & 2 5/20/16 Schedule 1 UCSC Schedule 1 - Personnel Gross & Net Available Hours Calculation Total Year FTE's Q1 7/1/16 9/30/2016 Q2 10/1/16-12/31/16 Q3 1/1/17-3/31/2017 Q4 4/1/17-6/30/2017 Number of authorized professional staff Number of Permanently OPEN Authorized Professional Staff Positions Number of professional positions at full staffing PLANNED ACTUAL FTEs Beginning of Period Additions--Permanent Additions--Temporary Departure --Within UC (0.00) Departure--Outside UC (0.00) Retirements (0.00) Long-Term Leave (0.00) Estimated Turnover (0.00) End of Period GROSS & NET AVAILABLE HRS CALCULATION Total Year Hours Q1 7/1/16 9/30/2016 Q2 10/1/16-12/31/16 Q3 1/1/17-3/31/2017 Q4 4/1/17-6/30/2017 Weighted Avg. FTE's Hours in the period - 2, Hours in the period - Lab 0 Subtotal - Lab / 8, Other Resources: Overtime Contract Labor/Interns Recharge In (or Out) Admin. & Other Subtotal Gross Available Hours 8, Non Controllable Hours 1, Non Controllable Hours Percent 17.88% 12.82% 23.94% 17.79% 17.40% Net Available Hours 6,

5 Schedule 2 Activity Report Distribution of Net Available Hours, outlines the allocation of hours to direct and indirect categories. FY17 Internal Audit Plan 5/20/16 Schedule 2 Distribution of Net Available Hours UCSC Schedule 2 - Activity Report Distribution of Net Available Hours INDIRECT HOURS UCOP % Guideline Total Year Hours Q1 7/1/16 9/30/2016 Q2 10/1/16-12/31/16 Q3 1/1/17-3/31/2017 Q4 4/1/17-6/30/2017 Administration 5--10% Professional Development 2--5% Other 0--3% Total Indirect Hours 1, Total Indirect Percent 15% 15.03% 10.15% 15.80% 17.54% 17.46% DIRECT HOURS Audit Program Prior Year Audits Not Completed, DNF Planned New Audits, PN 3, Supplemental Audits, PS Approx. 10% Audit Follow up, PNF Total Audit Program Hours 3, Total Audit Program Percent % 52.58% 39.40% 56.83% 57.72% 58.67% Advisory Services Consultations/Spec. Projects, SC 1, Ext. Audit Coordination, SE Internal Control & Accountability, SI IPA, COI & Other, SP Compliance Support, SU Systems Dev., Reengineering Teams, etc., SR Total Advisory Services Hours 1, Total Advisory Services Percent % 23.15% 42.34% 16.56% 15.32% 14.96% Investigations Hours, IN Investigations Percent % 3.58% 3.14% 3.92% 3.63% 3.73% Audit Support Activities Audit Planning Audit Committee Support Systemwide Audit Support Computer Support Quality Assurance Total Audit Support Hours Total Audit Support Percent 5--10% 5.66% 4.97% 6.89% 5.79% 5.18% Total Direct Hours 5, Total Direct Percent 85% 84.97% 89.85% 84.20% 82.46% 82.54% Total Net Available Hours 6, Total Net Available Percent 100% % % % % % 5

Schedule 1, 2 - Cross Check Schedule 1,2 - Cross Check Total Year Hours Q1 7/1/16 9/30/2016 Q2 10/1/16-12/31/16 Q3 1/1/17-3/31/2017 Q4 4/1/17-6/30/2017 Total net available hours (From Sch 1) 6982.

6 Schedule 1, 2 - Cross Check Schedule 1,2 - Cross Check Total Year Hours Q1 7/1/16 9/30/2016 Q2 10/1/16-12/31/16 Q3 1/1/17-3/31/2017 Q4 4/1/17-6/30/2017 Total net available hours (From Sch 1) Total net available hours (From Sch 2) Total A+AS+IN (Scd 3 Check) Actual FTEs, End of Period (Check down) Avail. Hours, Other Res., Subtotal (Check Down) Gross Available Hours Net Available Hours Indirect Hours Audit Program Audit Support Activities Investigations Hours Advisory Services Total Direct Hours Net Available Hours

7 III. PLAN DETAIL Schedule 3 Internal Audit Plan Detail Provides a list of the Planned Audits and Planned Advisory Services, identifying information, and planned hours. UNIVERSITY OF CALIFORNIA INTERNAL AUDIT PLAN DETAIL 06/09/16 UCSC FY2017 Planned Primary Index FY LOB LOC Type Prj Code Name/Title of Audit Hours Code Est. Qtr Completion Prior Year Audits Not Completed (DNFs) FY17 SC DNF 0 (a) Subtotal - Planned Carry Forward 0 Planned New Audits (PNs) FY17 SC PN SC Distributed User Authentication Controls 350 G.a.01 Q2 FY17 SC PN SC Information Technology End Point Security (BigFix) 350 G.a.01 Q3 FY17 SC PN SC Laptop Security 350 G.a.01 Q1 FY17 SC PN SC Independent Contactors 350 H.f.01 Q2 FY17 SC PN SC Export Control Awareness Update 350 E.a.03 Q3 FY17 SC PN SC Laser Safety 350 I.b.03 Q4 FY17 SC PN SC Conflict of Interest Disclosures on Federal Contracts 350 E.a.02 Q2 FY17 SC PN SC Chancellor's Expenses UC Policy BFB-G-45 (systemwide) 150 J.b.07 Q3 FY17 SC PN SC Annual Report on Executive Compensation (AREC) (systemwide) 150 J.b.06 Q3 FY17 SC PN SC Use of Consultants 200 H.f.01 Q4 FY17 SC PN SC Audit Placeholder (systemwide) (b) Subtotal - Planned New Audits 3250 FY17 SC PS - (c) Planned Supplemental Audits (lump sum) FY17 SC PNF - (d) Audit Follow Up (lump sum) Total Planned Audit Program (a+b+c+d) (1) 3671 Planned Advisory Services: FY17 SC SC SC Office of Physical Education, Recreation and Sports (OPERS) Financial Review 350 M.a.01 Q1 FY17 SC SC SC Summer Session Operations 300 A.c.02 Q4 FY17 SC SC SC IAS Annual Risk Assessment and Audit Plan Q4 FY17 SC SC SC National Collegiate Athletic Association (NCAA) Report Annual Review 60 M.a.01 Q3 FY17 SC SC SC Spreadsheet Use and Reporting Survey 80 Z.a.05 Q4 FY17 SC SC SC Data Analytics Initiative 80 Z.a.06 Q4 FY17 SC SC - Student Intern Program FY17 SC SC - Compliance/ Ethics and Compliance Officer (CECO) Support FY17 SC SC - Business & Administrative Services (BAS) Committees/Workgroups FY17 SC SC - Investigation Workgroup FY17 SC SC - Information Technology Security Committee FY17 SC SC - Business & Administrative Services (BAS) Support FY17 SC SC - University of California Laboratory Audit Committee Support (e) Subtotal - Planned Advisory Services

8 Unplanned Advisory Services (by Category) (2) FY17 SC SE External Audit Coordination (SE) FY17 SC SI Internal Control & Accountability (CRSA) (SI) FY17 SC SP IPA, COI & Other (SP) FY17 SC SU Compliance Support (SU) FY17 SC SR Systems Development, Reengineering Teams (SR) (f) Subtotal - Unplanned Advisory Services 31 Total Advisory Services (e+f) (1) 1616 IN Planned Investigation Hours (lump sum) 250 Total Audits, Advisory Services, and Investigations 5537 (1) Must tie with Audit Program and Advisory Services on Schedule 2 Activity Report (2) enter lump sums for each applicable AS category (i.e. - SC, SE) 8

9 Schedule 3A FY17 UCSC Internal Audit Plan Topic Description Provides a brief description outlining the topic and initial purpose statement, subject to revision. Planned Internal Audits Project Number - Title of Project / Purpose Statement SC Distributed User Authentication Controls Determine the adequacy of controls over user authentication and access to campus computing resources maintained by users within campus divisions. SC IT End Point Security (BigFix) Determine the level and coverage provided to end user workstations using existing centralized security software. SC Laptop Security Review security measures in place on campus to protect information maintained on laptop computers. SC Independent Contactors Evaluate the adequacy of controls and determine the appropriateness of the campus use of independent contractors. SC Export Control Awareness Update Determine if actions intended to improve awareness of export controls within the PI community as identified in previous internal audits have been adequately addressed. SC Laser Safety Evaluate the level of exposure and safety practices in place over the use of lasers. SC Conflict of Interest Disclosures on Federal Contracts Determine if conflict of interest disclosures are appropriately and accurately filed on federal contracts and grants. SC Chancellor's Expenses - BFB G-45 bi-yearly System wide requested topic - To determine compliance with the two financial reports on Chancellor s expenses, required by UC Business Finance Bulletin (BFB) G-45. SC Annual Report on Executive Compensation (AREC) System wide requested topic - To review and evaluate the completeness and accuracy of the Annual Report of Executive Compensation (AREC). SC Use of Consultants Identify the level of use and evaluate the appropriateness of services provided through consultant agreements/contracts. 9

10 Project Number - Title of Project / Purpose Statement Management Advisory/Consultation Services SC SC SC SC SC SC OPERS Financial Review Review the appropriateness of OPERS accounting practices, and administration and use of related referenda fees; identify the base level and prepare a forecast of future facility fee needs; and evaluate the historical and current use of reserve funds. Summer Session Operations To review the summer session operation, associated costs, and explore opportunities for potential growth or direction. IAS Annual Risk Assessment and Audit Plan Conduct the annual risk assessment and audit planning exercise. Integrate risk assessment and themes identified from campus senior level interviews with campus risk intelligence efforts and generate the FY2018 internal audit plan. NCAA Report Annual Review Limited scope review to confirm the accuracy of the financial data included in the OPERS NCAA Equity in Athletics Data Analysis (EADA) Report for Fiscal Year Spreadsheet Use and Reporting Survey Identify selected campus data and reporting sources originating from manually created spreadsheets and selectively test data cells for correctness using spreadsheet analysis software. Data Analytics Initiative Using data analytics software, collect and test large data sets for various attributes, including the detection of errors, irregularities, fraud, patterns, trends, and inefficiencies in operations. 10

11 Schedule 3B FY17 Audit Plan-Strategic Alignment Project Distributed User Authentication Controls IT End Point Security (BigFix) Laptop Security Independent Contractors Export Control Awareness Update Laser Safety Conflict of Interest Disclosures on Federal Contracts Chancellor's Expenses BFB- G-45 Annual Report on Executive Compensation (AREC) Use of Consultants OPERS Financial Review Summer Session Operations Strategic Initiative Presidents Cybersecurity Initiative Presidents Cybersecurity Initiative Presidents Cybersecurity Initiative Balanced Operations Research Infrastructure Identity and Reputation Research Infrastructure Student Success Identity and Reputation Research Infrastructure Identity Regents Identity and Reputation Regents Identity and Reputation Balanced Operations Balanced Operations Student Success Balanced Operations Student Success Systemwide or Systemwide Systemwide Systemwide Systemwide Systemwide How does this Project Help Support this Strategic Initiative? Assesses user authentication and access controls contributing to a better understanding and identification of the campus cybersecurity posture. Assesses security configuration and computer security monitoring contributing to a better understanding and identification of the campus cybersecurity posture. Assesses security over laptop computers contributing to a better understanding and identification of the campus cybersecurity posture. Addresses appropriate use of independent contractors and contributes to better understanding of campus needs and opportunities for balanced operations. Supports the research infrastructure by helping ensure campus researchers are aware of and have access to support in the area of export control. Helps avoid the impact of an event that could harm the campus reputation. Supports research infrastructure by helping provide a safe research environment. Supports student success by providing assurances and addressing opportunities for improving the safety of students and maintaining a safe learning environment. Helps avoid the impact of an event that could harm the campus reputation. Supports the research infrastructure by helping ensure campus researchers are not engaging in activities that would be considered a conflict of interest. Helps avoid the impact of an event that could harm the campus reputation. Provides assurances to the Regents that Chancellors expenses are appropriately used. Helps avoid the reputational harm that could occur if funds were not appropriately used. Provides assurances to the Regents that Executive Compensation is appropriate. Helps avoid the reputational harm that could occur if there was a overage in funding provided to campus executives. Addresses extent and appropriateness of use of consultants and contributes to better understanding of campus needs and opportunities for balanced operations. Addresses student needs for ensuring referenda fees are appropriately managed and opportunities for better understanding the costs of delivering campus recreational and athletics programs. Addresses Summer Session administration and opportunities supporting balanced operations. Supports student success by providing greater options for retaining and availability of courses needed for graduation. 11

IV. INTERNAL AUDIT RISK ASSESSMENT / INTEGRATION WITH CAMPUS RISK INTELLIGENCE The internal audit risk assessment is an annual and on-going predictive risk based exercise established to identify

12 IV. INTERNAL AUDIT RISK ASSESSMENT / INTEGRATION WITH CAMPUS RISK INTELLIGENCE The internal audit risk assessment is an annual and on-going predictive risk based exercise established to identify concerns and potential risk areas to be considered for inclusion in the annual audit plan and as a source of campus risk intelligence gathering. It is relied upon by senior campus leadership as an independent perspective on potential areas of campus risk. Refer to Table 1- AMAS Risk Assessment Process below. The approach as prescribed by the UC Internal Audit Program begins with the UC audit risk universe consisting of over 180 campus entities and processes. (Refer to Appendix B). Each audit risk universe topic is risk ranked and scored using UC audit risk factors. Refer to Table 2 - Risk Assessment Factors and Scoring. Input into the process included consideration of themes and concerns generated from more than 43 interviews conducted with campus leaders. (Refer to Appendix C). High risk topics were integrated with campus risk intelligence and compliance program efforts, the campus risk register, and the risk intelligence priority list maintained by the Ethics and Compliance Officer (CECO). This year s list of top rated topics is included in Appendix A and used to generate the FY2017 internal audit plan. The FY 2017 internal audit plan was shared with the campus Risk Intelligence Oversight Committee for review and concurrence, and forwarded to the Chancellor for final approval. Table 1- AMAS Risk Assessment Process 12

13 Table 2 AMAS Risk Assessment Factors and Scoring 13

14 Available upon request APPENDIX A Top Rated Topics from Audit Universe APPENDIX B UC Audit Universe APPENDIX C List of Leaders Interviewed by Position 14

FY15 Annual Risk Assessment and Internal Audit Plan

Internal Audit Program Planning Report FY15 Annual Risk Assessment and Internal Audit Plan Report No. SC-14-53 June 2014 Approved Barry Long, Director Internal Audit & Advisory Services Table of Contents